topic IOC Feed from Infoblox in Firewall and Security Management

IOC Feed from Infoblox

SriniKrish — Wed, 10 Jan 2024 06:13:43 GMT

Hello,

I am trying to get Exernal Threat Intel feed for DNS from Infoblox but the expected format from CP is different from the API request format I get from Infoblox.

Has anyone tried this before ? I am not sure how to feed in the API Key into the feed URL.

Below is the API Request format from IB and I have attached the smartconsole parameters in CP for the IOC feed.

curl -X GET -H "Authorization: Token token=<API_KEY>" "https://csp.infoblox.com/tide/api/data/threats?type=host&type=ip&type=url&type=email&type=hash"

Appreciate any directions here !

Cheers,

Srini

Re: IOC Feed from Infoblox

phoneboyapi — Tue, 16 Jan 2024 18:55:57 GMT

What format does Infoblox provide information in?
If it's JSON, I recommend upgrading to R81.20 and using the Network Feeds option, which can read JSON with a provided jq filter.
If your IOC feed is large, you should upgrade to R81.20 as the supported number of IoCs is much higher (at least 2 million IoCs have been tested) and they are imported significantly faster to boot.

Re: IOC Feed from Infoblox

the_rock — Tue, 16 Jan 2024 19:29:24 GMT

Let me test it in my R81.20 lab

Andy

Re: IOC Feed from Infoblox

the_rock — Tue, 16 Jan 2024 19:43:20 GMT

this worked for me

Re: IOC Feed from Infoblox

Blason_R — Wed, 17 Jan 2024 03:07:21 GMT

Those feeds are only available to Infoblox customers or are those open to anyone to test that out?

Re: IOC Feed from Infoblox

SriniKrish — Wed, 17 Jan 2024 06:49:30 GMT

Interesting !

How did you key in the API key ? I don't see an option in the IOC Feed pop up dialog.

Regards,

Srini

Re: IOC Feed from Infoblox

SriniKrish — Wed, 17 Jan 2024 06:51:12 GMT

Infoblox customers only. But you can set up a test environment with 60 day licensing and it pretty much gives access to DHCP, DNS and Threat feeds as well.

Regards,

Srini

Re: IOC Feed from Infoblox

SriniKrish — Wed, 17 Jan 2024 06:57:24 GMT

It is pretty much in the format above. I did try to feed through Mgmt_cli but getting the API key across has been challenge. I see Andy was able to connect via the Smartconsole. keen to know how he used the API key.

Srini

Re: IOC Feed from Infoblox

the_rock — Wed, 17 Jan 2024 12:28:06 GMT

I just did it exactly how you see in the screencap, via smart console.

Andy

Re: IOC Feed from Infoblox

SriniKrish — Wed, 17 Jan 2024 12:35:18 GMT

Sorry I don't understand. there are no fields to key in the API key. How will it map user authentication in the cs portal without the API key ?

Re: IOC Feed from Infoblox

the_rock — Wed, 17 Jan 2024 13:21:32 GMT

K, I gotcha now. Sorry, I just tested the actual link in the smart console feed menu, thats all.

You may need to confirm with TAC.

Andy

Re: IOC Feed from Infoblox

the_rock — Wed, 17 Jan 2024 13:56:04 GMT

Here is file I created and worked fine. Just convert it to csv format to import.

Andy

Re: IOC Feed from Infoblox

SriniKrish — Thu, 18 Jan 2024 05:11:07 GMT

Hi Andy,

I tried the same by using the api service username and API key as password in the Advanced field and it did accept.

IS there a way to validate if it is receiving any feeds at all ?

Cheers,

Srini

Re: IOC Feed from Infoblox

the_rock — Thu, 18 Jan 2024 12:43:17 GMT

https://support.checkpoint.com/results/sk/sk132193